8924699

Bios Protection Device

Published: December 30, 2014
Assignee: not available in USPTO data we have
Technical Abstract

Patent Claims
11 claims

Legal claims defining the scope of protection. Each claim is shown in both the original legal language and a plain English translation.

Claim 1

Original Legal Text

1. A processing system comprising: a central processor; a BIOS memory device including a boot program; a BIOS protection device including an internal memory; a memory address path and a data path, each configured to provide communication between the processor, the BIOS memory device and the BIOS protection device; and wherein the BIOS protection device is configured to store a copy of the boot program in the internal memory as the BIOS protection device verifies the authenticity of the boot program, wherein the BIOS protection device is further configured to control the memory address path and to disable the data path to the central processor to prevent execution of the boot program until the boot program is authenticated, and wherein the BIOS protection device relinquishes control of the memory address path and the data path to the central processor with access to the copy of the boot program from the internal memory for execution by the central processor when the boot program is successfully authenticated such that execution of the boot program is no longer prevented.

Plain English Translation

A computer system protects its BIOS during startup. It has a CPU, BIOS memory containing the boot program, and a BIOS protection device with its own internal memory. The BIOS protection device sits between the CPU and BIOS memory, controlling the address and data paths. Initially, the BIOS protection device copies the boot program to its internal memory. It then blocks the CPU from accessing the BIOS memory by controlling the address path and disabling the data path. The BIOS protection device authenticates the boot program. If authentication succeeds, the BIOS protection device hands control of the paths back to the CPU, which then accesses the verified boot program (the copy in the device's internal memory) and starts executing it.

Claim 2

Original Legal Text

2. The system as claimed in claim 1 wherein the BIOS protection device is in communication between the central processor and the BIOS memory device, wherein the BIOS protection device includes a memory address path interface and a data path interface, and an authentication processor, wherein the BIOS protection device is configured to control the memory address path and the data path to which the memory address path interface and the data path interface are connected, and wherein the authentication processor is configured to interrogate the BIOS memory device connected to the memory address path and the data path to determine if the boot program contained in the BIOS memory device is authentic, and if the boot program is determined to be authentic permit execution of the copy of the boot program by the central processor.

Plain English Translation

The BIOS protection device, positioned between the CPU and BIOS memory, has address and data path interfaces, and an authentication processor. It controls the address and data paths through these interfaces. The authentication processor examines the BIOS memory to verify the boot program's authenticity. If authentic, the system permits the CPU to execute a copy of the boot program. This system ensures that the boot process begins only with a verified BIOS, preventing unauthorized code from running during system startup.

Claim 3

Original Legal Text

3. The system as claimed in claim 2, wherein the memory address path interface connection and the data path interface are selected from a group comprising a serial interface, a totally non-multiplexed bus, an Intel™ Low Pin Count (LPC) bus structure.

Plain English Translation

The address and data path connections between the BIOS protection device and the rest of the system use a serial interface, a totally non-multiplexed bus, or an Intel Low Pin Count (LPC) bus structure. This selection of interfaces allows for flexibility in implementation, balancing speed, complexity, and the number of physical connections required. This refers specifically to the system in which the BIOS protection device, positioned between the CPU and BIOS memory, has address and data path interfaces and an authentication processor, and in which the authentication processor examines the BIOS memory to verify the boot program's authenticity and allows the CPU to execute a copy of the boot program if it is authentic.

Claim 4

Original Legal Text

4. The system as claimed in claim 3, wherein the memory address path interface connection and the data path interface comprise an Intel™ Low Pin Count (LPC) bus structure.

Plain English Translation

The address and data path connections between the BIOS protection device and other components use an Intel Low Pin Count (LPC) bus structure. This builds upon the previous description using an LPC bus for communication between the authentication processor and the BIOS memory device. The LPC bus is a common interface for connecting low-bandwidth devices to a motherboard, enabling efficient and standardized communication for BIOS authentication. This applies to the system where the BIOS protection device has an authentication processor, verifies the boot program, and lets the CPU use it when authenticated.

Claim 5

Original Legal Text

5. The system as claimed in claim 1, wherein the BIOS memory device includes a cryptographic structure located at a predetermined location in the BIOS memory device.

Plain English Translation

The BIOS memory has a cryptographic structure, like a digital signature, stored at a specific, known location. This cryptographic structure is used for verifying the authenticity of the boot program. This structure enables the BIOS protection device to perform an integrity check, ensuring the BIOS hasn't been tampered with, by confirming the presence and validity of the cryptographic signature. This signature supports the authentication process performed by the BIOS protection device before allowing the CPU to execute the boot program.

Claim 6

Original Legal Text

6. The system as claimed in claim 5 wherein the cryptographic structure is a digital signature and the BIOS protection device is configured to calculate the value of the cryptographic structure from contents of the BIOS memory device and an internal public key, and wherein the BIOS protection device interrogates the BIOS memory device to verify that a correct cryptographic structure is present and corresponds with at least part of the boot program stored in the BIOS memory device.

Plain English Translation

The cryptographic structure in the BIOS memory is a digital signature. The BIOS protection device calculates the expected value of this signature using the BIOS contents and an internal public key. It then compares this calculated value with the signature stored in the BIOS. The BIOS protection device checks if the stored signature is correct and matches at least part of the boot program. This verification process confirms the integrity and authenticity of the BIOS, preventing unauthorized code from running, before the CPU starts the boot process.

Claim 7

Original Legal Text

7. The system as claimed in claim 1 wherein the central processor, the BIOS memory device and the BIOS protection device are mounted on a motherboard configured to be inoperative if the BIOS protection device is not present on said motherboard.

Plain English Translation

The CPU, BIOS memory, and BIOS protection device are all mounted on a motherboard. Crucially, the motherboard is designed to not function if the BIOS protection device is missing. This dependency ensures that the BIOS protection mechanism is always active and cannot be bypassed by simply removing the protection device. This hardware-level enforcement prevents unauthorized BIOS modifications and enhances system security. This refers back to the system that includes a CPU, BIOS memory, and a protection device that copies and authenticates the BIOS before letting the CPU use it.

Claim 8

Original Legal Text

8. The system as claimed in claim 7, wherein said motherboard has an exitable reset state, and said BIOS protection device further includes a reset control circuit configured to provide a reset signal being responsive to said reset signal to prevent the motherboard from exiting the reset state, and wherein the motherboard is further prevented from exiting the reset state if the BIOS protection device is not present on said motherboard.

Plain English Translation

The motherboard has a reset state that it can exit. The BIOS protection device includes a reset control circuit. This circuit holds the motherboard in the reset state, preventing it from starting up. If the BIOS protection device is absent, the motherboard also remains in the reset state, preventing operation. The reset signal is controlled to ensure that the motherboard cannot begin executing code until the BIOS has been authenticated, and also serves to ensure the motherboard cannot bypass the BIOS protection mechanism completely.

Claim 9

Original Legal Text

9. The system as claimed in claim 8, wherein the BIOS protection device is configured to hold the reset signal in the reset state while the authentication of the boot program is being performed.

Plain English Translation

The BIOS protection device keeps the reset signal active, holding the motherboard in the reset state, while it is performing the boot program authentication process. This prevents the CPU from prematurely accessing the BIOS or starting the boot process before the BIOS's integrity has been verified. This temporary halt ensures that only a trusted BIOS image is executed, preventing potentially malicious code from running. The reset control works in conjunction with the authentication process.

Claim 10

Original Legal Text

10. The system as claimed in claim 9, wherein the BIOS protection device is further configured to release the reset signal allowing the central processor to commence operation when the authentication is successful.

Plain English Translation

After successfully authenticating the boot program, the BIOS protection device releases the reset signal. This allows the CPU to start operating and begin the boot process using the verified BIOS. The release of the reset signal signifies that the system is secure and that the boot process can proceed with confidence. This process continues after the authentication by the protection device, as it allows the central processor to operate normally.

Claim 11

Original Legal Text

11. The system as claimed in claim 1 wherein the BIOS protection device is configured to insert wait cycles to disable the central processor while authenticating the BIOS memory device.

Plain English Translation

The BIOS protection device inserts wait cycles to deliberately slow down or halt the CPU while it is authenticating the BIOS memory. This technique prevents the CPU from accessing or executing any code from the BIOS memory until the authentication process is complete. By inserting wait cycles, the BIOS protection device gains the necessary time to perform its authentication checks without interference from the CPU, guaranteeing a secure boot process. This is an alternative method of blocking the central processor.
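
The gating sequence described in claims 1, 5, 6 and 8 to 10, modelled in software as an added example (not code from the patent or from this site): the device verifies a signature stored at a fixed location, keeps the CPU in reset until that succeeds, and then serves the CPU its internal copy, so a flash change made after authentication is never executed. Assumptions: the signature occupies the last 16 bytes of flash, the hash is SHA-256, the key is a constructed toy textbook-RSA key, and all class and function names are hypothetical.

```python
import hashlib

# Constructed toy key: textbook RSA over two Mersenne primes. Illustration only, not secure.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # vendor-side private exponent (never on the device)
SIG_LEN = 16                        # assumed layout: signature in the last 16 bytes of flash

def digest(body: bytes) -> int:
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % N

def build_flash(body: bytes) -> bytearray:
    """Vendor side: append the signature at the predetermined location."""
    return bytearray(body + pow(digest(body), D, N).to_bytes(SIG_LEN, "big"))

class BiosProtectionDevice:
    def __init__(self, flash: bytearray):
        self.flash = flash          # external BIOS memory device
        self.internal = b""         # internal memory of the protection device
        self.reset_held = True      # CPU held in reset, data path disabled

    def authenticate(self) -> bool:
        # Snapshot flash into internal memory first, then verify that snapshot.
        snapshot = bytes(self.flash)
        body, sig = snapshot[:-SIG_LEN], int.from_bytes(snapshot[-SIG_LEN:], "big")
        ok = sig < N and pow(sig, E, N) == digest(body)
        if ok:
            self.internal = body    # the CPU will execute this copy, not the flash
            self.reset_held = False # release reset only on success
        return ok

    def cpu_fetch(self, addr: int, length: int) -> bytes:
        if self.reset_held:
            raise PermissionError("boot program not authenticated; CPU held in reset")
        return self.internal[addr:addr + length]

def run_scenarios() -> dict:
    boot = b"constructed boot program v1"
    good = BiosProtectionDevice(build_flash(boot))
    good_ok = good.authenticate()
    good.flash[0] ^= 0xFF           # flash altered after authentication
    tampered_flash = build_flash(boot)
    tampered_flash[3] ^= 0x01       # flash altered before authentication
    bad = BiosProtectionDevice(tampered_flash)
    return {"good_ok": good_ok, "served": good.cpu_fetch(0, len(boot)),
            "bad_ok": bad.authenticate(), "bad_reset_held": bad.reset_held}

if __name__ == "__main__":
    print(run_scenarios())
```

Verifying the snapshot rather than re-reading flash is what closes the gap between check and use: the bytes that were authenticated are the bytes the CPU fetches.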

Patent Metadata

Filing Date

Unknown

Publication Date

December 30, 2014

Inventors

Robert Linley Muir


Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, FAQs, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “BIOS PROTECTION DEVICE” (8924699). https://patentable.app/patents/8924699
